Ensuring compliance with digital lending regulations following the Data Protection Act

By Gaurav SharmaChief Compliance Officer, F​incfriends

India is at the forefront of harnessing the benefits of sequential technological advances while monitoring their rampant penetration. As the economy becomes a robust economy, the interplay of technology and credit creates both opportunities and threats. In a significant step to address data privacy and security risks, the RBI has introduced a number of strategic imperatives to ensure greater transparency on data sharing relationships and a layer of transparency in digital lending operations.

Core branches of regulatory data requirements have emerged in the form of the RBI’s digital lending guidelines, which prioritize data protection and privacy. While these guidelines successfully highlighted and addressed heterogeneity in lending practices by bringing unregulated lenders into the regulated space, their limited scope did not extend to non-lending digital entities. This, in turn, created the need to add a layer of data protection, which further paved the way for India’s first Digital Personal Data Protection Act.

Privacy under the Digital Personal Data Protection Act (DPDPA)

Capitalizing on the need for a comprehensive data management framework for digital lenders, the Digital Personal Data Protection Act symbolizes a significant step towards achieving full data protection and privacy. With an increased focus on empowering lenders, DPDPA takes the security of customer data into account and moves towards developing effective privacy management programs to effectively mitigate business and reputational risks.

The financial services industry has an opportunity to give lenders more power over data processing simply by adhering to these strict guidelines. Moreover, these guidelines also act as a bridge to address inconsistencies in the current lending framework and build a network of transparent and future-ready digital lenders. While this sudden transition may seem boring right now, it is key to creating a customer-centric digital lending ecosystem.

The interplay of the digital lending framework and the DPDPA guidelines

Driven by favorable socio-economic factors and increased proliferation of digital lending platforms, the Indian digital consumer lending market is expected to cross the $720 billion mark by 2030. This growth is further enhanced by the pool of lucrative opportunities and simplified access to loans that can be accredited on digital lending platforms, which have helped the underserved segment to raise funds quickly without stringent documentation and processing. However, this also means neglecting customer data privacy, making DPDPA a strategic imperative.

The introduction of the DPDPA guidelines in the digital lending space marks the beginning of a renewed regulatory framework that addresses, among others, data privacy, customer protection, information security and outsourcing activities. Implementation of these guidelines requires lenders to adopt a differentiated approach and consider the experience gained under previous RBI guidelines. Generally, to comply with these guidelines, digital lenders must only record data as needed after obtaining appropriate consent.

Implications of the Data Protection Act

Following the Data Protection Act, all digital platforms working with regulated lending entities will be referred to as “data processors” and will have to comply with DPDPA standards. Since the digital lending process involves assessing customer data to grant credit and reduce fraud risk, the DPDPA has mandated all lenders to obtain customer consent before assessing credit availability for more transparent risk management.

Additionally, DPDPA standards have inhibited the outsourcing of customer management activities. These can only continue if they are subject to outsourcing agreements within a strict framework. Moreover, digital lending players are also required to ensure that the customer data management cycle is compliant with DPDPA rules, which may impact various stages of the lending process, including onboarding and building customer relationships.

Final thoughts

Given the digital lending industry’s potential to continue to grow, it is essential that lending platforms adhere to the DPDPA guidelines as a basis for ethically managing customer data. While it may not be easy to implement, the benefits of data security and increased trust make this move critical. With the potential to create a digital lending ecosystem characterized by the pillars of data protection and security, the Data Protection Act is key to nurturing a tamper-proof and inclusive economy in the long term.